Email Servers Sending High Volume Traffic To Hosts
This search looks for an increase in data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.
Email Servers Sending High Volume Traffic To Hosts Help
This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must also be categorized as "email_server" for the search to work. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor that controls how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of data samples required for the statistic to be valid.
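The effect of the two tuning values can be seen in the following added example, which is not the search shipped with this content. It assumes a per-destination baseline of daily totals, a mean plus k standard deviations limit, default values of 3 and 4, and constructed sample traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000
TODAY = "2024-05-08"
# Constructed daily MB sent by email servers to each client, oldest first.
HISTORY_MB = {
    "10.0.0.5": [100, 110, 90, 105, 95, 100, 100],  # steady client
    "10.0.0.7": [50, 400, 60, 380, 55, 390, 45],    # naturally bursty client
    "10.0.0.9": [10, 12],                           # new client, little history
}
TODAY_MB = {"10.0.0.5": 900, "10.0.0.7": 500, "10.0.0.9": 5000}

def constructed_samples():
    """Build (day, dest_ip, bytes_out) rows from the constructed tables above."""
    rows = [(f"2024-05-{i:02d}", dest, mb * MB)
            for dest, series in HISTORY_MB.items()
            for i, mb in enumerate(series, start=1)]
    rows += [(TODAY, dest, mb * MB) for dest, mb in TODAY_MB.items()]
    return rows

def flag_outliers(samples, today, deviation_threshold=3, minimum_data_samples=4):
    """Return destinations whose bytes_out today exceeds mean + k * stdev of their history."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, dest, bytes_out in samples:
        daily[dest][day] += bytes_out  # one total per destination per day
    alerts = []
    for dest in sorted(daily):
        past = [v for d, v in daily[dest].items() if d < today]
        observed = daily[dest].get(today)
        if observed is None or len(past) < minimum_data_samples:
            continue  # no traffic today, or too few samples for a valid statistic
        # Population stdev is an assumption of this sketch.
        limit = mean(past) + deviation_threshold * pstdev(past)
        if observed > limit:
            alerts.append({"dest": dest, "bytes_out": observed, "limit": round(limit)})
    return alerts

if __name__ == "__main__":
    for k, n in [(3, 4), (1, 4), (3, 2)]:
        hits = [a["dest"] for a in flag_outliers(constructed_samples(), TODAY, k, n)]
        print(f"deviation_threshold={k} minimum_data_samples={n} -> {hits}")
```

Lowering deviation_threshold starts flagging the naturally bursty client, and lowering minimum_data_samples starts flagging a client whose baseline rests on only two days of data.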